Email Security Best Practices for Phishing

Posted by Catherine Young

The sheer volume of phishing email circulating on the internet every day is staggering.  TechRepublic reports that more than 3 billion fake emails are sent every day, and CSO Online estimates that a new phishing site is created every 20 seconds.

You may think you’ve got the right safeguards in place, but consider these statistics:

  • Nearly 10% of phishing emails make it through spam filters
  • More than 4% of phishing emails get opened
  • 10% of the phishing emails that are opened lead to a click on a malicious link
  • As many as 80,000 people fall for an email phishing scam every day

All it takes is one click on one phishing email to put your organization at risk.

A Layered Approach to Email Security

You should take a layered approach to email security.  A strong anti-phishing email solution is critical to protecting your organization.  You also need to combine that with strong policies and procedures, threat assessments, and consistent employee training.

It’s not enough to throw up a firewall, deploy a spam filter, and rely on the built-in protections of your email provider.  Threat actors are employing sophisticated and relentless strategies to bypass these protections.  They’ve had a lot of practice and they’ve had a lot of success.

Here are some of the most essential email security best practices that your organization should employ:

Strong Policies and Procedures

Your email security best practices should include strong policies and procedures.  These should set clear expectations for how employees use email - both company email and private email on company devices.  They should cover items such as using strong, unique passwords (and changing them promptly if they may have been exposed), the dangers of using public Wi-Fi, and other safe email habits.

They should also set out procedures for handling links and attachments from external or unknown senders, and for verifying requests before fulfilling financial transactions or providing sensitive information - for example, confirming a change of payment details with the requester over a known phone number rather than by replying to the email.

Evaluate Your Vulnerabilities

A phishing simulation can tell you a lot about how well your staff follow email security best practices.  Your IT team can create mock phishing emails and send them to users to see how many fall victim and how many report the message to IT as suspicious.  The results can be the basis for training.  INKY offers a complimentary Phishing Analysis.

Institute Awareness Training

Even if you have strict policies in place, you still need to do regular assessments and awareness training. 

That’s because nearly a third of all reported incidents (32%) are the result of human error.  Employees answer email all day long, firing off replies and clicking on links, so it is easy to click on the wrong thing once a message makes it through your filters.

Scan Incoming Emails Before They Get to Your Employees

Every email should be scanned by anti-phishing software before it reaches your organization’s inboxes.  The right solution will quarantine suspicious messages, flag potential problems, and pick up on even the smallest tell-tale details of a phishing email.

Look for software that rewrites links to pass through a proxy and tests the destinations before the message is allowed into a team member’s inbox, so that a link can still be blocked if its destination turns malicious after delivery.
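As an added illustration of the link-rewriting mechanic (this is example code written for this page, not code from the original post or from INKY’s product), the Python sketch below replaces every http(s) link in a message body with a proxy URL that carries the original target plus an HMAC. The proxy side refuses to resolve any URL whose token does not verify, so the gateway can inspect the destination at click time without becoming an open redirector. The proxy host, the signing key, and the sample message body are all constructed for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Assumed for this example: the gateway's click-proxy endpoint and its HMAC key.
# Neither is a real product value; a real deployment loads the key from a secret store.
PROXY_BASE = "https://click.example-gateway.invalid/go"
SIGNING_KEY = b"demo-only-key-do-not-reuse"

# Matches double-quoted href attributes; enough for the constructed sample below.
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def sign(target: str) -> str:
    """Tag the original URL so the proxy only resolves links this filter issued."""
    return hmac.new(SIGNING_KEY, target.encode(), hashlib.sha256).hexdigest()


def rewrite_links(html: str) -> str:
    """Point every http(s) link through the proxy; leave mailto:, cid: and relative links alone."""
    def replace(match):
        target = match.group(1)
        if urlparse(target).scheme not in ("http", "https"):
            return match.group(0)
        # '&' is left unescaped for brevity; real HTML output should emit '&amp;'.
        return f'href="{PROXY_BASE}?u={quote(target, safe="")}&t={sign(target)}"'
    return HREF_RE.sub(replace, html)


def extract_links(html: str):
    """Return every href value in the body (used to inspect the rewritten message)."""
    return HREF_RE.findall(html)


def resolve_click(proxied: str):
    """Proxy side: recover the original URL only if its token verifies; None means reject.
    A real proxy would then fetch and scan the destination before redirecting the user."""
    params = parse_qs(urlparse(proxied).query)
    if "u" not in params or "t" not in params:
        return None
    target = params["u"][0]          # parse_qs already undoes the percent-encoding
    if not hmac.compare_digest(params["t"][0], sign(target)):
        return None
    return target


# Constructed sample body, not a real message.
SAMPLE_HTML = (
    '<p>Your invoice is ready: <a href="http://pay.example-attacker.invalid/inv?id=7">View</a>. '
    'Questions? <a href="mailto:ap@example.com">Email AP</a>.</p>'
)

if __name__ == "__main__":
    rewritten = rewrite_links(SAMPLE_HTML)
    print(rewritten)
    for link in extract_links(rewritten):
        print(link, "->", resolve_click(link))
```

The HMAC is what makes the proxy safe to expose: without it, anyone could craft `?u=` links that bounce victims through your trusted domain. Tampering with the encoded target (even a single character) makes `resolve_click` return None.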

Include Bold, Unmistakable Warnings in The Body of The Email

Some anti-phishing software passes an email through after adding nothing more than a tag such as “external email” next to the sender’s address.  Warnings like that are missed or ignored because so much legitimate email originates outside your organization.

Other providers put the warning only in the subject line.  Those warnings can be truncated when users read email on a mobile device, and are easily missed when users are scanning quickly or routinely moving on to the next message in the list.

You want an anti-phishing solution that puts a bold, unmissable warning in the body of the email itself.  INKY offers a phishing alert banner that does exactly that and, in INKY’s view, is the future of email security.
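To make the difference concrete, here is an added Python example (written for this page; it is not INKY’s code) that inserts a warning banner into the body of a message from an external sender, in both the text/plain and text/html alternatives, rather than only tagging the subject line. The internal domain list and the sample message are constructed for the example; a real filter would decide “external” from authenticated sender data rather than the From header alone.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed for this example: the organization's own sending domains.
INTERNAL_DOMAINS = {"example.com"}

TEXT_BANNER = ("*** CAUTION: This email came from OUTSIDE the organization. "
               "Do not click links or open attachments unless you recognize the sender "
               "and expected the message. ***\n\n")
HTML_BANNER = ('<div style="background:#fff3cd;border:2px solid #d39e00;padding:8px;'
               'margin-bottom:12px;font-weight:bold">CAUTION: This email came from OUTSIDE '
               'the organization. Do not click links or open attachments unless you recognize '
               'the sender and expected the message.</div>')

BODY_TAG = re.compile(r"<body[^>]*>", re.IGNORECASE)


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the address in the From header (empty string if none)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg: EmailMessage) -> bool:
    return sender_domain(msg) not in INTERNAL_DOMAINS


def add_body_banner(msg: EmailMessage) -> EmailMessage:
    """Prepend a warning to every displayable text part of an external message, in place."""
    if not is_external(msg):
        return msg
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        body = part.get_content()
        if part.get_content_subtype() == "plain":
            part.set_content(TEXT_BANNER + body, subtype="plain")
        elif part.get_content_subtype() == "html":
            m = BODY_TAG.search(body)
            cut = m.end() if m else 0          # right after <body>, or at the very top
            part.set_content(body[:cut] + HTML_BANNER + body[cut:], subtype="html")
    return msg


def build_sample(from_header: str) -> EmailMessage:
    """Constructed multipart/alternative message used to exercise the filter."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Urgent: invoice approval needed"
    msg.set_content("Please approve the attached invoice today.\n")
    msg.add_alternative("<html><body><p>Please approve the attached invoice today.</p>"
                        "</body></html>", subtype="html")
    return msg


if __name__ == "__main__":
    # A look-alike domain (digit 1 for letter l) is external and gets the banner.
    print(add_body_banner(build_sample("Finance <finance@examp1e.com>")).as_string())
```

Because the banner is written into both body parts, it survives whatever alternative the mail client chooses to render and cannot be truncated the way a subject-line tag can. An internal sender’s message is returned untouched.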

Don’t Rely on Blacklists

When a URL or email address is recognized as suspicious, it is put on a so-called blacklist (blocklist) so that email filters stop matching messages from getting through.  Most anti-phishing solutions on the market, including the protections built into G Suite, Exchange, and Office 365, rely on these blacklists to stop phishing email.  Here is the problem with that: a blacklist can only cover what has already been reported, and once something is listed, cybercriminals simply move to new URLs and email addresses.

You need an anti-phishing solution that does not rely solely on these blacklists to keep you safe.  It should be able to recognize such zero-day attacks from the content and context of the message itself, before the URLs and addresses involved make it onto any blacklist.
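An added Python example (written for this page, not INKY’s code) that contrasts a blacklist lookup with two content-based checks that need no prior sighting of the attacker’s infrastructure: a look-alike check that normalizes digit-for-letter substitutions and small edit distances against protected brand domains, and a brand-forgery check that flags a display name invoking a brand whose sender domain is not that brand’s. The blacklist, the brand list, and the sample message fields are all constructed; a production filter would use the public suffix list rather than the “last two labels” approximation used here.

```python
from urllib.parse import urlparse

# Constructed for this example: a tiny blacklist and the brands we want to protect.
BLACKLIST = {"known-bad-login.invalid"}
PROTECTED_BRANDS = {"example bank": "examplebank.com"}

# Digits and symbols attackers substitute because they look like letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def registered_domain(host: str) -> str:
    """Last two labels of the host (approximation; real code uses the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(name: str) -> str:
    """Collapse look-alike characters so 'examp1ebank' and 'exarnplebank' both read 'examplebank'."""
    return name.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character typosquats the skeleton misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def blacklist_hits(urls):
    """What a blacklist-only filter catches: only domains someone has already reported."""
    return [u for u in urls if registered_domain(urlparse(u).hostname or "") in BLACKLIST]


def lookalike_hits(urls):
    """Links whose domain imitates a protected brand but is not the brand's real domain."""
    hits = []
    for u in urls:
        dom = registered_domain(urlparse(u).hostname or "")
        name = dom.split(".")[0]
        for real in PROTECTED_BRANDS.values():
            real_name = real.split(".")[0]
            if dom != real and (skeleton(name) == real_name or levenshtein(name, real_name) <= 2):
                hits.append((u, real))
    return hits


def brand_forgery(display_name: str, from_addr: str):
    """Display name invokes a brand while the sending domain is not that brand's domain."""
    dom = registered_domain(from_addr.rpartition("@")[2])
    shown = display_name.lower().replace(" ", "")
    return [real for brand, real in PROTECTED_BRANDS.items()
            if brand.replace(" ", "") in shown and dom != real]


def triage(display_name, from_addr, urls):
    """Run all three checks so the blacklist's blind spot is visible side by side."""
    return {
        "blacklist": blacklist_hits(urls),
        "lookalike": lookalike_hits(urls),
        "brand_forgery": brand_forgery(display_name, from_addr),
    }


# Constructed sample: a fresh look-alike domain that no blacklist has seen yet.
SAMPLE = {
    "display_name": "Example Bank Security",
    "from_addr": "alerts@examp1ebank.com",
    "urls": ["https://examp1ebank.com/verify", "https://www.examplebank.com/help"],
}

if __name__ == "__main__":
    print(triage(**SAMPLE))
```

For the constructed sample the blacklist returns nothing, while the look-alike and brand-forgery checks both fire on the first use of the new domain. The genuine `examplebank.com` link is left alone.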

Relentless Email Protection

INKY is relentlessly effective at email protection.  Whether you use Exchange, Office 365, G Suite, or other email platforms, INKY can integrate seamlessly and catch even the most sophisticated phishing threats, including:

  • Malware and Ransomware
  • Spear Phishing
  • Zero-Day Attacks
  • Brand Forgery
  • CEO Fraud
  • Domain Spoofing

INKY sees things other anti-phishing solutions miss - from the daily onslaught of spam to emerging phishing threats that have not yet made it onto any blacklist.  It displays bold warnings in a banner in the body of the email where they cannot be missed, which both warns users and educates them at the same time.

As a key component of your best practices for email security, INKY is a thin, but powerful, layer of protection for your organization’s email platform that helps prevent you from becoming a victim of phishing emails.

Get a demo of the INKY email security platform today.

 

Topics: email security